IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-01-11 00:31:56 -06:00
Code Issues Packages Projects Releases Wiki Activity

Fix ca less IPA install on fips mode

Browse Source 
When ipa-server-install is run in fips mode and ca-less, the installer
fails when the keys are provided with --{http|dirsrv|pkinit}-cert-file
in a separate key file.

The installer transforms the key into PKCS#8 format using
openssl pkcs8 -topk8
but this command fails on a fips-enabled server, unless the options
-v2 aes256 -v2prf hmacWithSHA256
are also provided.

Fixes:
https://pagure.io/freeipa/issue/7280

Reviewed-By: Christian Heimes <cheimes@redhat.com>
This commit is contained in:
Florence Blanc-Renaud 2017-11-23 18:06:56 +01:00
parent f528a44865
commit 19138c5ba3
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
ipapython/certdb.py
View File

@ -605,9 +605,13 @@ class NSSDatabase(object):
"Can't load private key from both %s and %s" % "Can't load private key from both %s and %s" %
(key_file, filename)) (key_file, filename))
# the args -v2 aes256 -v2prf hmacWithSHA256 are needed
# on OpenSSL 1.0.2 (fips mode). As soon as FreeIPA
# requires OpenSSL 1.1.0 we'll be able to drop them
args = [ args = [
paths.OPENSSL, 'pkcs8', paths.OPENSSL, 'pkcs8',
'-topk8', '-topk8',
'-v2', 'aes256', '-v2prf', 'hmacWithSHA256',
'-passout', 'file:' + self.pwd_file, '-passout', 'file:' + self.pwd_file,
] ]
if ((label != b'PRIVATE KEY' and key_password) or if ((label != b'PRIVATE KEY' and key_password) or